Modern portable computing devices often provide more than adequate computing resources, causing their popularity to increase over more traditional, non-portable computing devices. Unfortunately, portable computing devices introduce risks not often associated with non-portable computing devices. Foremost among these risks is the risk of data protection when the computing device itself may be lost, stolen or otherwise end up wholly within the possession of unknown or malicious users.
Traditionally, the data contained within a volume of data, which is typically stored on a data storage hardware device, such as a hard drive, is protected from unauthorized access by the computer-executable instructions of the computing device to which the data storage device is communicationally coupled. If the data storage device were, however, to be communicationally decoupled from a host computing device having such protective computer-executable instructions, the data could be accessed and its security compromised. Thus, a user with access to the host computing device, such as a malicious user who has obtained a lost or stolen portable computing device, can physically remove one or more data storage devices from such a portable computing device, and seek to obtain information from such data storage devices outside of the context of the portable computing device.
To prevent such unauthorized access of data, the notion of “full volume encryption” was developed, whereby all of the relevant data stored on a data storage device was stored in an encrypted manner. Consequently, even if such a data storage device were to be independently accessed, through a computing device having no executable instructions for the protection of the data, the data could, nevertheless, remain protected, since it would be physically stored in an encrypted manner.
To increase the efficiency of such full volume encryption, the task of encrypting and decrypting data can be performed by hardware associated with the storage device itself, instead of by the central processing unit of the host computing device. Such hardware encrypting storage devices appear, to higher level components, such as the operating system or application software, as traditional storage devices. However, upon receiving data for storage, such hardware encrypting storage devices automatically encrypt the data before placing it on the storage medium. Similarly, when reading data, a hardware encrypting storage device will read the data from the storage medium and decrypt it first, before providing it to higher level components.
Full volume encryption implemented by computer-executable instructions executing on the host computing device, as opposed to by the hardware of the storage device itself, can, however, provide greater flexibility. Specifically, whether implemented by the storage device or the computing device, to limit access to data protected by full volume encryption, the key used to encrypt and decrypt the data can be protected, such as by a password, a key card, a Trusted Platform Module, or similar security device. Unfortunately, should a user lose access to such a security device, a new key would need to be generated. Such a new key would require that the data be encrypted in such a manner that the new key could decrypt it. Consequently, the creation of such a new key would entail the computationally expensive, and lengthy, process of decrypting the volume and, subsequently, reencrypting it in such a manner that the new key could decrypt it. To avoid such inefficiencies, full volume encryption performed by a computing device, as opposed to by the storage device itself, can add one or more layers of indirection. Specifically, the key that can decrypt the data can, itself, be encrypted by another key. This second key can then be protected by a security device. Should a user lose access to the security device, only the second key would need to be changed, requiring only the decryption, and subsequent reencryption, of the first key, and not of all of the data itself. Unfortunately, full volume encryption performed by storage devices, such as hard disk drives, does not utilize such layers of indirection.